Applicant: Matthias Vogel et al.

Serial No.: 10/642,500

Filed: August 18, 2003

Page: 2 of 15

Attorney's Docket No.: 13906-134001 / 2003P00532 US



Amendments to the Claims : 

This listing of claims replaces all prior versions and listings of claims in the 
application: 

Listing of Claims: 

1. (Currently Amended) A computer-implemented method for generating access control information, the method comprising:

receiving an access control rule that identifies a characteristic, the characteristic identifying an attribute from which attribute values of at least one user data entry and at least one object data entry are to be accessed and compared to generate access control information;

programmatically identifying at least one user data entry in user information that [[is associated with]] includes the attribute identified by the identified characteristic;

programmatically accessing, from the at least one user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the at least one user data entry;

programmatically identifying at least one object data entry in data object information that [[is associated with]] includes the attribute identified by the identified characteristic; [[and]]

programmatically accessing, from the at least one object data entry, a second attribute value for the attribute identified by the identified characteristic and included in the at least one object data entry;

programmatically comparing the first attribute value with the second attribute value;

based on comparison results, programmatically determining whether the first attribute value corresponds to the second attribute value;

conditioned on determining that the first attribute value corresponds to the second attribute value, generating access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information; and

storing the generated access control information in electronic storage.



2. (Currently Amended) The method of claim 1 wherein:

the identified characteristic is indirectly associated with the at least one user data entry in the user information, and

programmatically identifying at least one user data entry in user information that [[is associated with]] includes the attribute identified by the identified characteristic comprises programmatically identifying at least one user data entry in user information that is indirectly associated with the identified characteristic.

3. (Currently Amended) The method of claim 1 wherein:

the identified characteristic is directly associated with the at least one user data entry in the user information, and

programmatically identifying at least one user data entry in user information that [[is associated with]] includes the attribute identified by the identified characteristic comprises programmatically identifying at least one user data entry in user information that is directly associated with the identified characteristic.

4. (Original) The method of claim 1 wherein generating access control information comprises:

generating user access control information that identifies the at least one entry in the user information that is associated with the identified characteristic,

generating object access control information that identifies the at least one entry in the data object information that is associated with the identified characteristic, and

associating at least one entry in the user access control information with at least one entry in the data object access control information.

5. (Original) The method of claim 4 further comprising storing the association of the at least one entry in the user access control information with the at least one entry in the data object access control information.

6. (Original) The method of claim 4 further comprising: 
storing the data object access control information, and 
storing the user access control information. 

7. (Original) The method of claim 4 further comprising determining whether a particular user associated with the at least one entry in the user access control information is permitted access to a particular data object that is associated with the at least one entry in the data object access control information wherein the determination is based on the association of the at least one entry in the user access control information with the at least one entry in the data object access control information.

8. (Original) The method of claim 1 further comprising receiving a filter condition, wherein generating access control information further comprises generating access control information by eliminating at least one entry in the user information that corresponds to the received filter condition such that access control information does not include the eliminated at least one entry in the user information.

9. (Original) The method of claim 1 further comprising receiving a filter condition, wherein generating access control information further comprises generating access control information by eliminating at least one entry in the data object information that corresponds to the received filter condition such that access control information does not include the eliminated at least one entry in the data object information.
10. (Currently Amended) A computer system for managing access control information for software operating on the computer system, the system comprising:

a data repository for access control information for software, the data repository including user information identifying a user characteristic for at least one entry in the user information, data object information identifying a data object characteristic for at least one entry in the data object information, and access control rule information identifying a shared characteristic for at least one entry in the access control rule information; and

an executable software module that [[causes (1)]] configured to:

programmatically identify at least one user data entry in user information that includes an attribute identified by the user characteristic;

programmatically access, from the at least one user data entry, a first attribute value for the attribute identified by the user characteristic and included in the at least one user data entry;

programmatically identify at least one object data entry in data object information that includes an attribute identified by the data object characteristic;

programmatically access, from the at least one object data entry, a second attribute value for the attribute identified by the data object characteristic and included in the at least one object data entry;

programmatically compare the first attribute value, the second attribute value, and an attribute value identified by the shared characteristic;

based on comparison results, programmatically determine whether the first attribute value corresponds to the second attribute value;

[[programmatic comparison of the user characteristic, the data object characteristic, and the shared characteristic and (2) generation of]] generate access control information for use in determining whether a user that is associated with [[an]] the at least one user data entry in the user information is permitted to access [[a data object that is associated with an]] the at least one object data entry in the data object information, generation of access control information comprises:

generating access control information that enables the user associated with the at least one user entry in the user information to access the at least one object data entry [[data object]] conditioned on determining that the first attribute value corresponds to the second attribute value [[programmatic comparison of the user characteristic, the data object characteristic and the shared characteristic indicating that the user characteristic corresponds to the shared characteristic and the data object characteristic corresponds to the shared characteristic]], and

generating access control information that prevents the user associated with the at least one user entry in the user information from accessing the at least one object data entry [[data object]] conditioned on determining that the first attribute value does not correspond to the second attribute value; and [[programmatic comparison of the user characteristic, the data object characteristic and the shared characteristic indicating that the user characteristic does not correspond to the shared characteristic or the data object characteristic does not correspond to the shared characteristic]]

store the generated access control information in electronic storage.

11. (Original) The computer system of claim 10 further comprising a second executable software module that causes a determination whether a user associated with an entry in the user information is permitted to access a data object associated with an entry in the data object information such that the determination is based on the generated access control information.

12. (Original) The computer system of claim 11 wherein the second executable software module is the same executable software module as the first executable software module.
13. (Previously Presented) The computer system of claim 10 wherein the executable software module stores the generated access control information in electronic storage such that the generated access control rule information may be accessed to determine whether the user is permitted to access the data object when the user requests access to the data object subsequent to generation of the access control information.

14. (Original) The computer system of claim 10 wherein the executable software module causes an association between at least one entry in the user information and at least one entry in the access control information when the user characteristic corresponds to the shared characteristic.

15. (Original) The computer system of claim 14 wherein the executable software module causes an association between at least one entry in the data object information and at least one entry in the access control information when the data object characteristic corresponds to the shared characteristic.

16. (Original) The computer system of claim 15 wherein the executable software module causes a determination whether the user is permitted access to the data object based on the association of the user information to the shared characteristic and the association between the data object information and the shared characteristic.

17. (Original) The computer system of claim 10 wherein:

the data repository includes:

user group information that associates a user group with at least one entry in the user information, and

access control rule information that identifies an action that a user who is associated with a group of users is permitted to perform on a data object, and

the executable software module causes a determination to be made, based on an association of the at least one entry in the user information with the user group, as to whether the user associated with the at least one entry in the user information is permitted to perform a particular action on a particular data object.

18. (Currently Amended) A computer-readable medium having embodied thereon a computer program configured to generate access control information, the medium comprising one or more code segments configured to:

receive an access control rule that identifies a characteristic, the characteristic identifying an attribute from which attribute values of at least one user data entry and at least one object data entry are to be accessed and compared to generate access control information;

programmatically identify at least one user data entry in user information that [[is associated with]] includes the attribute identified by the identified characteristic;

programmatically access, from the at least one user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the at least one user data entry;

programmatically identify at least one object data entry in data object information that [[is associated with]] includes the attribute identified by the identified characteristic; [[and]]

programmatically access, from the at least one object data entry, a second attribute value for the attribute identified by the identified characteristic and included in the at least one object data entry;

programmatically compare the first attribute value with the second attribute value;

based on comparison results, programmatically determine whether the first attribute value corresponds to the second attribute value;

conditioned on determining that the first attribute value corresponds to the second attribute value, generate access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information; and

store the generated access control information in electronic storage.
19. (Previously Presented) The medium of claim 18 wherein the one or more code segments configured to generate access control information comprise one or more code segments configured to:

generate user access control information that identifies the at least one entry in the user information that is associated with the identified characteristic,

generate object access control information that identifies the at least one entry in the data object information that is associated with the identified characteristic, and

associate at least one entry in the user access control information with at least one entry in the data object access control information.

20. (Previously Presented) The medium of claim 19 wherein the one or more code segments are further configured to determine whether a particular user associated with the at least one entry in the user access control information is permitted access to a particular data object that is associated with the at least one entry in the data object access control information wherein the determination is based on the association of the at least one entry in the user access control information with the at least one entry in the data object access control information.

21. (Previously Presented) The medium of claim 18 wherein the one or more code segments are further configured to:

receive a filter condition, and

generate access control information by eliminating at least one entry in the user information that corresponds to the received filter condition such that access control information does not include the eliminated at least one entry in the user information.

22. (Previously Presented) The medium of claim 18 wherein the one or more code segments are further configured to:

receive a filter condition, and

generate access control information further comprises generating access control information by eliminating at least one entry in the data object information that corresponds to the received filter condition such that access control information does not include the eliminated at least one entry in the data object information.

23. (Currently Amended) The method of claim 1 wherein programmatically identifying at least one user data entry in user information that [[is associated with]] includes the attribute identified by the identified characteristic, programmatically identifying at least one object data entry in data object information that [[is associated with]] includes the attribute identified by the identified characteristic, and generating access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information occurs automatically without human intervention.

24. (Currently Amended) The method of claim 1 wherein:

programmatically identifying at least one user data entry in user information that [[is associated with]] includes the attribute identified by the identified characteristic comprises:

programmatically identifying a first user data entry in user information that [[is associated with]] includes the attribute identified by the identified characteristic, and

programmatically identifying a second user data entry in user information that [[is associated with]] includes the attribute identified by the identified characteristic comprises, the first user data entry being associated with a first user and the second user data entry being associated with a second user that is different than the first user,

programmatically accessing, from the at least one user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the at least one user data entry comprises:

programmatically accessing, from the first user data entry, a first attribute value for the attribute identified by the identified characteristic and included in the first user data entry, and

programmatically accessing, from the second user data entry, a third attribute value for the attribute identified by the identified characteristic and included in the second user data entry,

programmatically identifying at least one object data entry in data object information that [[is associated with]] includes the attribute identified by the identified characteristic comprises programmatically identifying a first data object in data object information that [[is associated with]] includes the attribute identified by the identified characteristic, [[and]]

programmatically accessing, from the at least one object data entry, a second attribute value for the attribute identified by the identified characteristic and included in the at least one object data entry comprises programmatically accessing, from the first data object, a second attribute value for the attribute identified by the identified characteristic and included in the first data object,

programmatically comparing the first attribute value with the second attribute value comprises programmatically comparing the first attribute value with the second attribute value and the third attribute value with the second attribute value,

based on comparison results, programmatically determining whether the first attribute value corresponds to the second attribute value comprises programmatically determining whether the first attribute value corresponds to the second attribute value and whether the third attribute value corresponds to the second attribute value, and

conditioned on determining that the first attribute value corresponds to the second attribute value, generating access control information that permits at least one user associated with the at least one user data entry in the user information to access the at least one object data entry in the data object information comprises, conditioned on determining that the first attribute value corresponds to the second attribute value and the third attribute value corresponds to the second attribute value, generating first access control rule information that enables the first user to access the first data object and second access control rule information different than the first access control rule information that enables the second user to access the first data object.
25. (Previously Presented) The method of claim 24 further comprising storing the generated access control information in electronic storage.



26. (Previously Presented) The method of claim 25 wherein storing the generated access control information in electronic storage comprises:

storing a first access control information data record that includes a first user identifier that identifies the first user and a first data object identifier that identifies the first data object, and

storing a second access control information data record that includes a second user identifier that identifies the second user and a second data object identifier that identifies the first data object.
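The generation, filtering and storage steps claimed above (claims 1, 8, 9, 24 and 26, with the later access decision of claims 7, 11 and 13), as an added Python example that is not part of the application; the sample user and object entries, the `department` attribute used as the rule's characteristic, the filter predicates and the `AccessRecord` shape are constructed assumptions.

```python
"""Added example (not from the application): generate per-(user, object) access
records by comparing the values of one attribute named by an access control rule."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Set

# Constructed sample data. Each entry is a dict of attributes; u4 lacks the
# attribute named by the rule, so it is never matched (claim 1: only entries
# that *include* the attribute are identified and compared).
USERS = [
    {"user_id": "u1", "name": "alice", "department": "finance", "active": True},
    {"user_id": "u2", "name": "bob", "department": "finance", "active": False},
    {"user_id": "u3", "name": "carol", "department": "hr", "active": True},
    {"user_id": "u4", "name": "dave", "title": "intern", "active": True},
]
OBJECTS = [
    {"object_id": "o1", "department": "finance", "classification": "internal"},
    {"object_id": "o2", "department": "hr", "classification": "restricted"},
    {"object_id": "o3", "department": "finance", "classification": "restricted"},
]

@dataclass(frozen=True)
class AccessRecord:
    """One stored record: a user identifier paired with a data object identifier (claim 26)."""
    user_id: str
    object_id: str

Filter = Optional[Callable[[dict], bool]]

def generate_access_control(rule_attribute: str, users: Iterable[dict], objects: Iterable[dict],
                            user_filter: Filter = None, object_filter: Filter = None) -> Set[AccessRecord]:
    """Return the records for every user/object pair whose values of rule_attribute correspond.
    Entries matched by user_filter / object_filter are eliminated before comparison (claims 8, 9).
    A separate record is produced per matching user, even for the same object (claim 24)."""
    records: Set[AccessRecord] = set()
    for user in users:
        if rule_attribute not in user or (user_filter and user_filter(user)):
            continue
        first_value = user[rule_attribute]          # first attribute value (user entry)
        for obj in objects:
            if rule_attribute not in obj or (object_filter and object_filter(obj)):
                continue
            second_value = obj[rule_attribute]      # second attribute value (object entry)
            if first_value == second_value:         # comparison result: values correspond
                records.add(AccessRecord(user["user_id"], obj["object_id"]))
    return records

class AccessControlStore:
    """Electronic storage for generated records; decisions are made only from what is stored."""
    def __init__(self) -> None:
        self._records: Set[AccessRecord] = set()

    def store(self, records: Iterable[AccessRecord]) -> None:
        self._records |= set(records)

    def is_permitted(self, user_id: str, object_id: str) -> bool:
        """Later access check (claims 7, 11, 13): permitted only if a record was generated."""
        return AccessRecord(user_id, object_id) in self._records

def build_store() -> AccessControlStore:
    """Generate with two filters (inactive users, restricted objects) and store the result."""
    records = generate_access_control("department", USERS, OBJECTS,
                                      user_filter=lambda u: not u["active"],
                                      object_filter=lambda o: o["classification"] == "restricted")
    store = AccessControlStore()
    store.store(records)
    return store
```

Because decisions are made from the stored snapshot, the records only stay correct if generation is rerun whenever a user or object attribute changes; otherwise a user who has left a department keeps the access the old record grants.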



